| As one of the main network security threats, a botnet combines the characteristics of viruses, Trojans and worms. Botnets propagate in many settings, such as homes, businesses and government agencies. Botnets not only launch most Distributed Denial of Service (DDoS) attacks but are also an important source of spam. Hackers also use botnets to steal information, conduct phishing, etc. Existing detection approaches either depend on external conditions or are limited to detecting a particular type of botnet. This paper proposes a detection model based only on network traffic, named HTBC. The model does not need other detection tools, nor does it rely on packet content. HTBC is a multi-level model: it extracts traffic features of time behavior and spatial behavior, then divides the traffic by a two-step clustering. Through continuous cross-matching, it can identify highly suspicious botnet hosts. The experimental results showed that HTBC has a high detection rate and a low false negative rate in a real network environment. The main contributions and innovations are as follows: (1) Existing approaches extract botnet features as a whole, while the HTBC model considers time and space features separately, portraying a richer behavioral pattern of bots. (2) For similarity clustering, the model proposes a multi-level cross-match: a cross-match between time and space, together with a cross-match between different periods. Through this hierarchical matching procedure, HTBC identifies bot groups while reducing the false positive rate. (3) In addition to using the Jaccard coefficient as an important metric in result filtering, HTBC also uses a logistic regression model to filter suspicious hosts, which further reduces the false positive rate. |
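
The following sketch illustrates the two cross-matching levels described above (time clusters against space clusters, then across periods) with the Jaccard coefficient as the filter. It is an added example, not the paper's code: the function names, the 0.5 threshold, the minimum group size, the rule of intersecting periods and the sample clusters are all assumptions, and the logistic regression filter is left out.

```python
from itertools import product

def jaccard(a, b):
    """Jaccard coefficient |A & B| / |A | B| of two host sets."""
    a, b = set(a), set(b)
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cross_match(time_clusters, space_clusters, threshold=0.5, min_size=2):
    """Level 1: match every time-behavior cluster against every
    space-behavior cluster. Hosts shared by a pair are kept only when the
    pair overlaps strongly (Jaccard >= threshold) and the shared group has
    at least min_size hosts (both values are assumed, not from the paper)."""
    suspects = set()
    for t, s in product(time_clusters, space_clusters):
        common = set(t) & set(s)
        if len(common) >= min_size and jaccard(t, s) >= threshold:
            suspects |= common
    return suspects

def persistent_suspects(periods, threshold=0.5, min_size=2):
    """Level 2: cross-match between periods. A host stays suspicious only
    if level 1 flagged it in every observed period (assumed rule)."""
    flagged = [cross_match(t, s, threshold, min_size) for t, s in periods]
    return set.intersection(*flagged) if flagged else set()

# Constructed sample data: (time_clusters, space_clusters) per period.
PERIOD_1 = (
    [{"10.0.0.5", "10.0.0.6", "10.0.0.7"}, {"10.0.0.20", "10.0.0.21"}],
    [{"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.30"},
     {"10.0.0.20", "10.0.0.40", "10.0.0.41", "10.0.0.42"}],
)
PERIOD_2 = (
    [{"10.0.0.5", "10.0.0.6", "10.0.0.30"}],
    [{"10.0.0.5", "10.0.0.6"}],
)

if __name__ == "__main__":
    print(sorted(persistent_suspects([PERIOD_1, PERIOD_2])))
```

Host 10.0.0.7 is dropped at the second level because it is flagged in only one period, which is how matching across periods trims candidates that a single window would report.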